WebApp Sec mailing list archives
Re: Encrypted cookies
From: Lucas Oman <me () lucasoman com>
Date: Thu, 10 Jan 2008 16:13:45 -0500
Ron wrote:
me why, it's a long story). So here's what they propose: to take the username, hash of the password, and date the user logged in, encrypt them with a strong encryption algorithm, and store them in a cookie (along with a hash to ensure integrity).
Be sure to include a server-side secret string in the hash so that the data can't be altered, re-encrypted, and re-hashed to appear as if integrity had been maintained. Also, a quick expiry of the cookie, enforced by the server using a timestamp stored in the encrypted string, can mitigate the risk of replay attacks.
Lucas -- Web Software Dev Consultant Nerd 912.655.9594 www.lucasoman.com -------------------------------------------------------------------------Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Encrypted cookies Ron (Jan 10)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)
- Re: Encrypted cookies Andy Steingruebl (Jan 11)
- Re: Encrypted cookies Andy Steingruebl (Jan 10)
- Re: Encrypted cookies Lucas Oman (Jan 10)
- RE: Encrypted cookies Brokken, Allen P. (Jan 10)
- Re: Encrypted cookies Orlin Gueorguiev (Jan 11)
- <Possible follow-ups>
- Re: Encrypted cookies Rico Secada (Jan 10)
- Fw: Re: Encrypted cookies Rico Secada (Jan 11)
- Re: Fw: Re: Encrypted cookies Ron (Jan 15)
- Re: Encrypted cookies Andrew van der Stock (Jan 10)